2
votes

I am working on a Rails application that is hosted on AWS Elastic Beanstalk and uses an RDS Aurora PostgreSQL database.

My Application has 3 environments: Dev, Staging and Production

I saw this message on RDS console that says:

Update your Amazon RDS SSL/TLS certificates before March 5, 2020 To avoid interruption of your applications using RDS and Aurora databases, update the Certificate Authority (CA) certificates for these databases before March 5, 2020. We strongly recommend making your updates before February 5, 2020, to leave time for deployments, testing, and validation. New databases created after January 14, 2020, will default to using the new CA certificates. Make sure that you update your client applications with the new certificates first.

Later I saw that Dev's and Staging's RDS instances are already upgraded to the latest SSL certificate and that this message is appearing only for Production's RDS instance.

So I tried to bring Dev's and Staging's RDS instances back to the older SSL certificate (the same as Production's): I downloaded the latest certificate file from https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html and then appended these 2 lines inside my config/database.yml:

production:
  sslmode: 'verify-full'
  sslrootcert: /path/to/cert/file

After making this change, I deployed the changes on Dev. Result: the build succeeded. Then, from the RDS console, I tried upgrading the SSL cert of the Dev instance to the latest one and it worked.

There are a couple of things I would like to gain more clarity on:

  1. This change in the YML file wasn't there before. It seems adding those lines makes the environment less flexible. This can be avoided - but how?
  2. Initially, when Dev's and Staging's RDS instances were upgraded to the latest SSL certs, my app was working, but I have no idea/clue whether my Dev and Staging applications are using the latest SSL certificates or not! Is there any way I can confirm that my apps are also upgraded to the latest SSL/TLS certs?
1
Hi, did you need any other help with this question or are you good? - The-Big-K
hey @big-K I originally intended to try the proposed stack you provided, but I am unable to confirm that this worked in my case, since only 1 of my application environments was affected by this and the entry in the .yml file worked too. As far as the flexibility of the env is concerned, this is not an issue because we are not migrating from AWS to any other cloud infrastructure like Heroku anytime soon. I would like to thank you for providing the steps and I am going to keep this handy as some of my co-workers may need this shortly (before March end). - Puneet Pandey

1 Answer

0
votes
  1. RDS uses self-signed certificates and hence you need to explicitly trust it in your client. Not sure which client setup you are running (I'm guessing RoR given the tags on the question), but basically you need to research how you can add a private root CA cert into your trust store. If you had a Java client, then the way you'd do this is to download the root CA cert file and explicitly add it to your Java truststore (there are multiple ways to do this). You'd need to find the mechanism to do the same thing for your client stack; it should be fairly straightforward to find that.

  2. Use openssl and talk to your DB endpoint from your client instance and describe your certificate. The certificate detail should list the issue date and expiry of your DB's certificate, and also the issuer CA's details. You need to confirm that the CA is the new 2019 (or 2020, not sure) RDS root CA.

Something like:

# PostgreSQL starts in plaintext and negotiates TLS in-band, so openssl needs
# -starttls postgres (OpenSSL 1.1.1 or newer) and the PostgreSQL port 5432;
# 3306 with -starttls mysql is the MySQL/Aurora MySQL equivalent.
# The second openssl call parses only the first PEM block, i.e. the server's own
# certificate: compare its "Issuer:" line against the new RDS CA.
openssl s_client -starttls postgres -showcerts -servername endpoint.goes.here -connect endpoint.goes.here:5432 2>/dev/null | openssl x509 -inform pem -noout -text
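As an added example (this is not code from the original question or answer), the same two checks the answer recommends, written in Ruby with the OpenSSL library so they can be run from the Rails app's own environment: parse the CA bundle that `sslrootcert` points at, report who issued the server certificate and when it expires, and decide whether the bundle trusts that certificate the way libpq would. The CA names `demo-old-ca` and `demo-new-ca`, the hostname `db.example.internal` and the use of libpq's `PGHOST`/`PGSSLROOTCERT` variables are assumptions made for the demo; the certificates are generated in the script, so it runs offline and contacts no RDS endpoint unless you set `PGHOST`.

```ruby
# Added example (not from the original question or answer). Offline demo of the
# two checks the answer describes: which CA issued the DB server certificate,
# and whether the CA bundle shipped in sslrootcert actually trusts it.
# The CA names, the host name db.example.internal and the PGHOST/PGSSLROOTCERT
# handling are constructed for the demo; no real endpoint is contacted unless
# PGHOST is set.
require 'openssl'
require 'socket'

# Parse a PEM bundle (e.g. the CA bundle downloaded from AWS) into cert objects.
# Bundles concatenate several CAs; X509::Certificate.new alone reads only the first.
def load_bundle(pem_text)
  pem_text.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
          .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Issuer and expiry of a certificate: the fields the answer says to compare.
def describe_cert(cert)
  { subject:   cert.subject.to_s(OpenSSL::X509::Name::RFC2253),
    issuer:    cert.issuer.to_s(OpenSSL::X509::Name::RFC2253),
    not_after: cert.not_after }
end

# Same trust decision libpq makes for sslmode=verify-ca (verify-full adds the
# hostname match): does any CA in the bundle validate the server certificate?
def trusted_by?(bundle_certs, server_cert)
  store = OpenSSL::X509::Store.new
  bundle_certs.each { |ca| store.add_cert(ca) }
  store.verify(server_cert)
end

# Full report for one server certificate against one bundle (PEM text).
def check_server(bundle_pem, server_cert)
  describe_cert(server_cert)
    .merge(trusted: trusted_by?(load_bundle(bundle_pem), server_cert))
end

# What `openssl s_client -starttls postgres` does: PostgreSQL begins in
# plaintext, the client sends an 8-byte SSLRequest (code 80877103), the server
# answers 'S', and only then does the TLS handshake start. Returns the leaf cert.
def fetch_live_cert(host, port = 5432)
  sock = TCPSocket.new(host, port)
  sock.write([8, 80_877_103].pack('NN'))
  raise "#{host} refused SSL" unless sock.read(1) == 'S'
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # inspection only; never in the app
  ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
  ssl.hostname = host
  ssl.connect
  ssl.peer_cert
ensure
  ssl&.close
  sock&.close
end

# --- constructed fixtures: a throwaway old CA, a new CA and a server cert ---
def make_cert(subject, issuer_cert, issuer_key, ca:)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1 << 32)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{subject}")
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{subject}")) unless ca
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

OLD_CA, _old_key = make_cert('demo-old-ca', nil, nil, ca: true)
NEW_CA, new_key  = make_cert('demo-new-ca', nil, nil, ca: true)
SERVER_CERT, _   = make_cert('db.example.internal', NEW_CA, new_key, ca: false)

if __FILE__ == $PROGRAM_NAME
  # With PGHOST/PGSSLROOTCERT set (libpq's own variables) inspect a real
  # endpoint; otherwise run the constructed scenario (old bundle, new-CA cert).
  server = ENV['PGHOST'] ? fetch_live_cert(ENV['PGHOST']) : SERVER_CERT
  bundle = ENV['PGSSLROOTCERT'] ? File.read(ENV['PGSSLROOTCERT']) : OLD_CA.to_pem
  p check_server(bundle, server)
end
```

Run against a real instance with `PGHOST` set to the RDS endpoint and `PGSSLROOTCERT` pointing at the downloaded bundle; `trusted: false` with the old bundle and `trusted: true` with the new one is exactly the mismatch the RDS notice warns about. On question 1: libpq reads `PGSSLMODE` and `PGSSLROOTCERT` from the environment, so the bundle path does not have to be hard-coded in database.yml and can differ per Beanstalk environment.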